Summary - "NASA Repeatedly Attacked, Jet Propulsion Lab Compromised"
This article discusses NASA being under “heavy attack” over the preceding two years by attackers trying to gain access to its networks and infect its machines with malware. NASA’s Inspector General, Paul Martin, stated that “there have been a total of 5,408 security incidents in 2010 and 2011 that resulted in either malware being installed on NASA systems or attackers gaining unauthorized access to the agency's systems.” The worst of the attacks was on the Jet Propulsion Laboratory, where attackers gained full system access: they could copy, modify, or delete sensitive files on mission-critical systems, and they could modify system logs to hide these activities.
No single root cause for the success of these attacks was identified. Rather, several factors over the two-year span contributed. Controls that should have been in place to mitigate the risk include the following:
1. Adequate IT security monitoring and oversight: According to the article, “an audit in May 2010 found that only 24 percent of "applicable computers" on a mission network were monitored to receive critical software patches, and only 62 percent were monitored for technical vulnerabilities.” A host that is not monitored is a host whose patch level and vulnerabilities are simply unknown, so continuous vulnerability scanning and patch-compliance tracking across the full inventory are required, and software has to be patched as soon as vulnerabilities are disclosed, with mission-critical systems prioritized.
2. Proper wiping/sanitizing of disposed machines: According to the article, “another audit in December 2010 found the agency was not properly sanitizing or disposing equipment at four different centers and sensitive data was still on computers being prepared for sale.” Sanitization has to go beyond a simple disk reformat: reformatting rewrites only filesystem metadata, and freely available forensic tools recover the file contents left behind. Every drive must be fully overwritten (or, for solid-state drives, erased with the drive’s built-in secure-erase or cryptographic-erase command, since host overwrites cannot be trusted to reach every flash cell) or physically destroyed before any computer is disposed of, and the result should be verified before the equipment is released.
3. Proper physical security of IT assets: The article also stated “other incidents reported by Martin included a laptop stolen in March 2011 containing algorithms used to control the International Space Station. Thieves had stolen 48 notebooks or mobile devices from NASA between April 2009 and April 2011, Martin said.” This many stolen devices indicates a physical access control issue. As one mitigation, NASA could install tracking software on its mobile devices to locate them after a theft. Another would be remote-wipe capability so that files can be erased from a laptop as soon as it is reported stolen. Both are best-effort controls: a tracker or wipe command only works if the device comes back online, and neither helps once the thief has pulled the drive, which is why the encryption control below is the one that actually protects the data.
4. Proper encryption techniques: Beyond the theft of the laptops, the article goes on to state an even bigger issue: “The thefts are even more worrying when considered that as of Feb. 1 this year, only one percent of NASA's portable devices were encrypted, according to Martin.” NASA should require full-disk encryption on every portable device (e.g. laptops and phones) to ensure confidentiality. That way, if a laptop is stolen, the thief gets only ciphertext: without the user’s passphrase (and, where one is used, the hardware-bound key in the device’s TPM) nothing stored on the device can be read, whether or not the drive is removed from the machine.
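To illustrate control 2, here is an added Python example (not from the article or from NASA) showing why a reformat does not sanitize a drive. It uses a constructed 64 KiB disk image in a temporary directory rather than a real device; the sensitive marker, the offsets and the function names are assumptions made for the demonstration:

```python
"""Added example (not from the article): why a quick reformat is not sanitization.

A constructed 64 KiB 'disk image' stands in for a drive. A quick format rewrites only
the metadata at the front of the medium; file contents further in survive and are
recoverable with a plain byte-level search, which is all a forensic carving tool does.
Overwriting every byte of the medium removes them.
"""
import os
import tempfile

IMAGE_SIZE = 64 * 1024
METADATA_SIZE = 4 * 1024        # region a quick format rewrites (assumed size)
DATA_OFFSET = 32 * 1024         # where the 'file' lands, well past the metadata
SECRET = b"MISSION-CONTROL-TELEMETRY-KEY"   # constructed sensitive content


def make_image(path: str) -> None:
    """Create a blank image and 'store' one sensitive file on it."""
    with open(path, "wb") as fh:
        fh.write(b"\x00" * IMAGE_SIZE)
    with open(path, "r+b") as fh:
        fh.seek(DATA_OFFSET)
        fh.write(SECRET)


def quick_format(path: str) -> None:
    """Mimic a quick format: zero only the metadata region, leaving data blocks alone."""
    with open(path, "r+b") as fh:
        fh.write(b"\x00" * METADATA_SIZE)


def overwrite_all(path: str, random_passes: int = 1) -> None:
    """Sanitize by overwriting the whole medium: random pass(es), then a final zero pass."""
    with open(path, "r+b") as fh:
        for _ in range(random_passes):
            fh.seek(0)
            fh.write(os.urandom(IMAGE_SIZE))
        fh.seek(0)
        fh.write(b"\x00" * IMAGE_SIZE)


def recoverable(path: str) -> bool:
    """Byte-level carve: is the secret still present anywhere on the medium?"""
    with open(path, "rb") as fh:
        return SECRET in fh.read()


def demo() -> dict:
    """Run through the three states and report whether the secret survives each."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "disk.img")
    make_image(path)
    result = {"fresh": recoverable(path)}
    quick_format(path)
    result["after_quick_format"] = recoverable(path)
    overwrite_all(path)
    result["after_overwrite"] = recoverable(path)
    os.remove(path)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(demo())   # {'fresh': True, 'after_quick_format': True, 'after_overwrite': False}
```

On a real drive the overwrite step is `shred -n 1 -z /dev/sdX` or a single pass of `dd if=/dev/zero`, which is sufficient for magnetic media. For SSDs, use the drive’s own sanitize command (ATA secure erase via `hdparm --security-erase`, or `nvme format --ses=1` for NVMe), because wear-levelling keeps spare blocks the host cannot overwrite. Whatever method is used, verify afterwards by carving the drive for known content, as `recoverable()` does here.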


Summary - "The Real Lessons Of Gawker's Security Mess"

This article provides an in-depth account of how Gawker, a gossip site, was breached over the course of several months. The full scale of the data breach included the leaking of usernames and passwords for both users of the Gawker site and Gawker employees, along with those parties’ credentials for other sites; credentials for internal systems used by Gawker (e.g. Google applications and other collaboration tools); Gawker’s source code; a future site design; and FTP credentials for other sites Gawker had worked with. The article explains how the attack, openly linked to a hacker group called Gnosis, was provoked by comments from senior Gawker employees on a web chat platform (Campfire) showing their hubris following a denial-of-service attack carried out by members of the 4Chan board earlier in the year. In these comments they mocked the attack, stating “we are not scared of 4Chan here […]” and similar remarks.

The article goes on to detail multiple warning signs that a compromise had occurred, which Gawker ignored or downplayed. Several controls that could have prevented or contained this breach are as follows:

1. Having properly trained IT security personnel: Gawker founder Nick Denton had reported odd activity nearly a month before the public breach notification, including a changed username, a changed password, and login activity he did not recognize on the Gawker site and other company platforms. The resulting investigation dismissed the activity as non-malicious because the requests had been made with his own credentials. That reasoning is backwards: valid credentials used from an unfamiliar source to change the account’s own username and password is the textbook signature of a credential compromise, and properly trained IT personnel would recognize it as a strong indicator that an outsider had gained unauthorized access.

2. Proper password management policies and techniques: Gawker should have been using a stronger password hashing scheme instead of the DES-based crypt(3), which keeps only the first eight characters of a password, uses a 12-bit salt, and is fast enough to brute-force offline; DES itself had been broken in public demonstrations in the late 1990s and was superseded by AES in 2002. In addition, the breach gave the attackers access to other sites affiliated with Gawker because employees and users reused weak passwords, such as “password,” “qwerty,” or a first name with a number appended, across multiple sites. Employees should be trained to understand why reusing a password on multiple sites is risky (one breached site hands the attacker a working login everywhere else) and should be required to use passwords that are long and contain a mix of letters, numbers, and special characters. In addition, these passwords should be updated periodically throughout the year without the ability to recycle old passwords, and immediately whenever a breach is suspected.

3. Properly updating systems and programs: Gawker had been running versions of Linux on its servers that were about three years old. Without updates, that software carried known, publicly documented vulnerabilities that gave the attackers their way in. Software should be patched as vulnerabilities are disclosed and upgraded as new releases become available, with end-of-life releases that no longer receive security fixes retired first.

4. Policies for appropriate employee behavior (especially in regards to comments about customers): Nearly six months before the official breach notice, Gawker officials were notified that site users’ usernames and passwords had been leaked on the 4Chan web board. The officials openly downplayed the situation on their Campfire platform, stating it “was not important” because “it was only the peasants,” among other damaging comments. Gnosis later published these conversations as part of the data leak. Employees need to be careful about what is said and the channel used to say it: internal chat is stored, and it falls into an attacker’s hands in exactly the kind of breach being discussed. When statements like these are transmitted electronically, they can give attackers the motivation to devote the time and attention needed to attack a company successfully.
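As an added example for control 1 (not Gawker’s code), the following Python rule encodes the reasoning the investigation got wrong: a credential change is suspicious precisely when it comes from an address the account has never established, regardless of whether the credentials used were valid. The audit log lines, user names, addresses, field layout and thresholds are constructed for the demonstration:

```python
"""Added example (not Gawker's code): flag account changes made with valid credentials
from an address the account has not established."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed audit log (not real Gawker data): timestamp, user, action, source address.
SAMPLE_LOG = """\
2010-11-10T09:02:11 ndenton login 203.0.113.10
2010-11-11T10:15:40 ndenton login 203.0.113.10
2010-11-12T08:30:02 jdoe login 203.0.113.22
2010-11-13T08:31:19 jdoe login 203.0.113.22
2010-11-14T22:41:03 ndenton login 198.51.100.77
2010-11-14T22:42:30 ndenton change_password 198.51.100.77
2010-11-14T22:43:05 ndenton change_username 198.51.100.77
2010-11-15T08:05:00 jdoe change_password 203.0.113.22
"""

# Account changes an attacker makes to lock the real owner out or hijack recovery.
SENSITIVE_ACTIONS = {"change_password", "change_username", "change_email"}
# An address counts as established for a user after this many prior logins from it (assumed).
ESTABLISHED_AFTER = 2

Event = Tuple[datetime, str, str, str]


def parse_log(log: str) -> List[Event]:
    """Parse whitespace-separated lines into (time, user, action, ip), oldest first."""
    events: List[Event] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, action, ip))
    return sorted(events)


def flag_credential_changes(log: str) -> List[str]:
    """Alert on sensitive changes made from an address the account had not established.

    Whether the request carried valid credentials is irrelevant: a stolen-credential
    request carries valid credentials by definition. The source history is what separates
    the owner from the intruder.
    """
    logins: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    alerts: List[str] = []
    for ts, user, action, ip in parse_log(log):
        if action == "login":
            logins[user][ip] += 1
        elif action in SENSITIVE_ACTIONS and logins[user][ip] < ESTABLISHED_AFTER:
            alerts.append(f"{ts.isoformat()} {user}: {action} from unestablished address {ip}")
    return alerts


if __name__ == "__main__":
    for alert in flag_credential_changes(SAMPLE_LOG):
        print(alert)
```

Run over the sample log, only the two changes to ndenton’s account from 198.51.100.77 are flagged; jdoe’s password change from a long-used address is not. In a real deployment the baseline comes from weeks of login history rather than two events, and the alert should route to a person who re-verifies the owner out of band (a phone call, not a message to the account’s own e-mail, which the attacker may already control).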
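As an added example for control 2 (not Gawker’s code), the following Python screens for the password patterns the article names and stores passwords as a per-user salted scrypt hash instead of a fast DES-based crypt(3) value. The deny-list and first-name list are small constructed stand-ins for a breached-password corpus, and the function names and cost parameters are assumptions:

```python
"""Added example (not Gawker's code): weak-password screening plus slow, salted hashing.

The Gawker hashes were crackable because they were fast DES-based crypt(3) values that keep
only the first eight characters, and because many passwords were a dictionary word, 'qwerty',
or a first name with a number appended. weak_password() rejects that class; hash_password()
and verify_password() use scrypt with a random per-user salt so each guess costs real CPU
and memory and a crack of one hash says nothing about any other.
"""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# Constructed deny-list; a real deployment screens against a large breached-password corpus.
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "gawker", "lifehack"}
# Constructed first-name list for the "first name plus a number" pattern the article describes.
COMMON_NAMES = {"nick", "john", "mike", "chris", "sarah", "david"}

# scrypt cost (assumed): about 16 MiB of memory per guess, which is what slows offline cracking.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def weak_password(password: str, username: str = "") -> Optional[str]:
    """Return the reason a password is rejected, or None if it passes screening."""
    p = unicodedata.normalize("NFKC", password).strip().lower()
    # Strip the trailing digits/symbols people append to a word ("nick42", "qwerty123!").
    base = re.sub(r"[\d!@#$%^&*._-]+$", "", p)
    if p in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        return "common password"
    if base in COMMON_NAMES:
        return "first name plus digits"
    if username and username.lower() in p:
        return "contains username"
    if len(p) < 12:
        return "shorter than 12 characters"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt, stored as '<salt hex>$<digest hex>'. A fresh salt per user means equal
    passwords hash differently, so precomputed tables and cross-account reuse of work fail."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(username: str, password: str) -> str:
    """Screen first, then hash; raises if the password falls in the weak class the dump exposed."""
    reason = weak_password(password, username)
    if reason:
        raise ValueError(f"password rejected: {reason}")
    return hash_password(password)


if __name__ == "__main__":
    for pw in ("password", "qwerty123", "Nick42", "correct horse battery staple"):
        print(f"{pw!r}: {weak_password(pw) or 'ok'}")
    record = register("ndenton", "correct horse battery staple")
    print(verify_password("correct horse battery staple", record))   # True
```

With these parameters each guess costs roughly 16 MiB and tens of milliseconds, and because every user has a distinct salt an attacker holding the database cannot amortize that work across accounts the way a single fast DES hash allowed; bcrypt or Argon2id serve the same purpose. Screening on registration is what stops “password” and “nick42” from ever reaching the database, where no hash function can save them.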
